Protect Your Web App

Communication on the Internet is susceptible to eavesdropping and malicious tampering. The Amazon Mobile App Distribution Program recommends you take action to protect customers using the web apps you submit. The best thing you can do to secure your web apps is to use HTTPS.

Note: Development materials and tools referenced on this page are provided by third parties, not by Amazon. Our links for these tools will take you to third-party sites.

What is HTTPS?

HTTPS is a protocol for secure communication across the Internet. It protects the confidentiality of sensitive or personal information, such as phone numbers or addresses, by encrypting all traffic between a client and a server. It also allows a client to verify that it is talking to the intended server.

Why use HTTPS?

Web apps that do not have HTTPS configured are susceptible to the following types of attacks:

Man-in-the-middle Attack:

This technique involves an attacker placing themselves between the end consumer and your web app and serving content on behalf of your web app. A commonly used defense against such an attack combines verification of the server's identity with strong encryption of the traffic between client and server, both of which HTTPS provides.

Sniffing & Eavesdropping:

This technique involves an attacker intercepting or logging network traffic to capture personal user information such as passwords and user IDs. Over a secure HTTPS connection these techniques do not reveal personal information, because the traffic is encrypted within the connection.

Amazon Web App Security

In addition to recommending SSL for all apps, Amazon requires that web pages that either use In-App Purchasing or require authentication be hosted over SSL.

Permissions Security Requirements

To prevent fraudulent In-App transactions, we require that pages using the Amazon In-App Purchasing API be completely secure. Ensure that the page triggering the IAP transaction and all of its associated resources are served over SSL/HTTPS. This prevents man-in-the-middle attacks against your application while it is interacting with the Amazon In-App Purchasing API.

Linked Resources

If you are using any customer permissions, and are therefore required to host your app pages over SSL, we recommend that all of your linked resources are also hosted over SSL.

Prior to submitting an application that uses In-App Purchasing, ensure that any third-party components used by the page triggering the IAP transaction are served securely as well.

Check for common components such as ad networks, which can sometimes create an iframe that is not served securely, causing the Amazon In-App Purchasing API to fail by throwing an exception. Social media controls can also inadvertently serve non-secure content, which in turn restricts access to the Amazon In-App Purchasing API.

Exception Handling for In-App Purchasing SSL Failures

If the IAP call is triggered by a page that does not meet the security requirement described above, a global exception is thrown by the Amazon framework. You can catch this exception by assigning a handler to window.onerror.

Handle this exception appropriately in your app by notifying the end customer of the failure. Since this is effectively a fatal error, test your IAP transactions before submitting your app to the Appstore.
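The following is an added example, not code from the Amazon documentation or the IAP framework. It shows two pre-submission defenses described above: a check that flags page resources which would load over plain HTTP (the ad-network and social-widget problem from the Linked Resources section), and a window.onerror handler that surfaces the global IAP exception to the customer. The notify function and the error message text are assumptions; the Amazon framework's actual exception text is not specified on this page.

```javascript
// Added example: mixed-content check and a window.onerror handler for the
// global exception thrown when IAP is triggered from a non-HTTPS page.
// Pure logic is kept separate from DOM access so it can run outside a browser.

// Element attributes whose URLs must be HTTPS on a page that triggers IAP.
const RESOURCE_SELECTORS = 'script[src], iframe[src], img[src], link[href]';

// Return the URLs in `urls` that would load over plain HTTP when the page is
// served from `pageUrl`. Protocol-relative URLs ("//cdn.example/x.js") inherit
// the page scheme, so they are only safe when the page itself is HTTPS.
function findInsecureResources(urls, pageUrl) {
  const insecure = [];
  for (const raw of urls) {
    let resolved;
    try {
      resolved = new URL(raw, pageUrl);
    } catch (e) {
      continue; // unparseable value; the browser would not fetch it either
    }
    if (resolved.protocol === 'http:') insecure.push(resolved.href);
  }
  return insecure;
}

// Collect candidate resource URLs from a live document (browser only).
function collectResourceUrls(doc) {
  return Array.from(doc.querySelectorAll(RESOURCE_SELECTORS))
    .map((el) => el.getAttribute('src') || el.getAttribute('href'));
}

// Install a global handler so a failed IAP call is reported to the customer
// instead of failing silently. `win` is the window object; `notify` is the
// app's own function for showing a message (assumed, not an Amazon API).
// Any previously installed handler is chained rather than replaced.
function installIapErrorHandler(win, notify) {
  const previous = win.onerror;
  win.onerror = function (message, source, lineno, colno, error) {
    notify('Purchase could not be completed. Please try again later.',
           { message: String(message), source, lineno, colno, error });
    if (typeof previous === 'function') {
      return previous.apply(this, arguments);
    }
    return false; // false lets the browser still log the error to the console
  };
}
```

In a browser, run findInsecureResources(collectResourceUrls(document), location.href) on the purchase page during testing; an empty array means every script, iframe, image and stylesheet resolves to HTTPS.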

How to Implement HTTPS

A typical implementation of HTTPS provides both confidentiality and server authentication. This means:

The client can be sure it's talking to the intended server.

The communication between the client and server is encrypted, so others can't intercept it.

Both client and server have assurance that messages were not altered in transit.

Deploy and configure a simple web app to use HTTPS on Amazon S3:

Amazon S3 serves bucket content over HTTPS with its existing wildcard certificate, so setting up HTTPS takes only the following steps:

Log in to the S3 console.

Create a logging bucket for your app(s). Note that it must be in the same region as your app hosting bucket. This bucket can be shared across multiple apps.

Create a bucket to host your app code, selecting a region. Note that the bucket name must be DNS compliant (see AWS Bucket Restrictions).

Enable bucket logging when creating the app hosting bucket, specifying the target bucket and (optionally) a prefix for your app.